A quick intro to using mitmproxy to
man-in-the-middle an SSH connection.

So you want to sniff an SSH connection (that you have access to) but Wireshark
is giving you junk? Luckily someone has written a tool for that. The
mitmproxy by Maximilian Hils lets
you drop a fake server in between your SSH client and the SSH server
you're connecting to.

(Confusingly, this is not the same tool as the other, better-known
mitmproxy, which only handles HTTP and HTTPS.)

I wanted to have a nose at the data sent from git to github over SSH. This is
what I did.

I wanted to turn my Raspberry Pi into a "fake" wireless access point that would accept
Wi-Fi connections without a password but sandbox all requests to a local web server,
like some hotel Wi-Fi you might encounter.

It turns out that to achieve this you need a Wi-Fi dongle that supports "AP Mode".
I ended up ordering an Edimax EW-7711UAN, which has worked perfectly in AP mode with the Pi so far.

For this tutorial I am assuming that your Pi is physically connected to your network via a LAN cable (on eth0). We can't set this up over Wi-Fi because the Wi-Fi network is going to be sandboxed.

Testing

If you do a Wi-Fi search on your laptop or phone you should now see "NotFreeWifi". If you connect and type in "www.blaargh.com" you should get the message we wrote out earlier.

Conclusion

Now if you're a normal human being you've probably just blindly pasted these commands into your shell. If you'd like to know what you've set up, then read on!

Using hostapd we've set up our wireless dongle to accept unsecured (no password) connections using the SSID "NotFreeWifi". This allows anyone with Wi-Fi on their laptop, phone or whatever to connect to the Pi.

On its own this won't do much (clients won't be able to do anything once they connect), so we've set up Dnsmasq to give clients IP addresses and tell them to use 10.0.0.1 (the Pi's IP) as their gateway.

We've also used Dnsmasq to provide a DNS server, which we've (rather sneakily) set up to answer 10.0.0.1 for any name it's asked for. So if someone tries to visit facebook.com, we tell them the address is 10.0.0.1.

Finally, we've set up a web server on the Pi, so when users do try to go to facebook.com they actually connect to our Pi, where we say hello to them.

Results

I've been running this on my Pi for a week now, and because of its location I wasn't expecting to get any connections. Which is why I was pretty surprised to see that 5 people who weren't me have connected:

Super low-budget VPS servers make an ideal home for your own honeypot. This
post takes you through setting up a feature-packed honeypot on a TinyVZ VPS.

I'm always on the lookout for a cheap place to host a honeypot, which is why
I was pretty intrigued when I came across a few companies offering $15
per year virtual private servers.

This offer does seem too good to be true, and I don't plan on hosting anything
important on my VPS, but I've been running one with TinyVZ
for 3 months now and have had no problems to speak of.

So, here's a quick guide to setting up your own $15 honeypot, though please
don't treat this as a glowing endorsement of super-cheap VPSs: when I paid my
$15 I treated it more as placing a bet than purchasing a service.

I have chosen TinyVZ as the host for this guide; you can almost certainly do
this on other similarly cheap hosts. Because this guide uses my honeypot setup
script, most of it revolves around navigating TinyVZ's control panel. I am not
affiliated with TinyVZ.

TinyVZ have confirmed that they are happy for their customers to run honeypots.

Conclusion

Tada - you should now have a full Kippo
and Dionaea install. You can monitor
/var/kippo and /var/dionaea for logs and binaries.
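To get something out of /var/kippo beyond tailing it, here is an added example (not part of the original post, nor code from Kippo itself) that parses the login-attempt lines Kippo writes to its text log and summarises attempts per source IP, the most-tried credentials, and any successful logins. The sample lines are constructed, the line format is assumed to match Kippo's "login attempt [user/pass] failed|succeeded" log lines, and the IPs are documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the text format Kippo writes to kippo.log.
# Assumption: the layout below matches the login-attempt lines your Kippo
# version emits; adjust LOGIN_RE if it differs.
SAMPLE_LOG = """\
2013-05-01 10:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] failed
2013-05-01 10:02:14+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/password] failed
2013-05-01 10:02:19+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] succeeded
2013-05-01 10:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin] failed
2013-05-01 10:05:41+0000 [HoneyPotTransport,4,198.51.100.9] connection lost
"""

# Timestamp, session id, source IP, user, password and outcome of one attempt.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"(?P<result>failed|succeeded)$"
)


def parse_login_attempts(text):
    """Return one dict per login-attempt line; unrelated lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def summarise(attempts):
    """Aggregate attempts by source IP and credential pair, and list successes."""
    by_ip = Counter(a["ip"] for a in attempts)
    creds = Counter((a["user"], a["password"]) for a in attempts)
    successes = [(a["ip"], a["user"], a["password"])
                 for a in attempts if a["result"] == "succeeded"]
    return {"by_ip": by_ip, "creds": creds, "successes": successes}


if __name__ == "__main__":
    summary = summarise(parse_login_attempts(SAMPLE_LOG))
    print("attempts per source IP:", dict(summary["by_ip"]))
    print("most tried credentials:", summary["creds"].most_common(3))
    print("successful logins:", summary["successes"])
```

Point it at the real file with `parse_login_attempts(open("/var/kippo/log/kippo.log").read())` once you have confirmed the line layout; a "succeeded" entry is a session worth replaying in full, since Kippo records what the visitor typed afterwards.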

Security Considerations

The default setup you are left with on this server is iffy at best. You should
not really be logging in as root; I would advise at the very least following
this guide on securing SSH.